State Department employee phones hacked through NSO Group spyware: report

The phones of at least nine State Department employees were recently hacked through the use of spyware from Israeli company NSO Group, a report published Friday found.

Reuters cited four people “familiar with the matter” in reporting that iPhones of the employees were hacked over the past several months. The individuals targeted were based in Uganda or working on issues involving Uganda. 

NSO Group disputed the findings, with a spokesperson telling The Hill in a statement Friday that while the company had taken steps to crack down on the customers involved in targeting the employees — who Reuters said it wasn’t able to identify — NSO had no reason to believe its products were involved. 

“Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations,” the spokesperson said. “To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case”

“On top of the independent investigation, NSO will cooperate with any relevant government authority and present the full information we will have,” they said. “To clarify, the installation of our software by the customer occurs via phone numbers. As stated before, NSO’s technologies are blocked from working on US (+1) numbers. Once the software is sold to the licensed customer, NSO has no way to know who the targets of the customers are, as such, we were not and could not have been aware of this case.”

A spokesperson for the State Department declined to confirm the hacking efforts to The Hill on Friday, but stressed that “generally speaking, the Department takes seriously its responsibility to safeguard its information and continuously takes steps to ensure information is protected.”

“Like every large organization with a global presence, we closely monitor cybersecurity conditions, and are continuously updating our security posture to adapt to changing tactics by adversaries,” the spokesperson said in a statement provided to The Hill. “As part of its commitment to put human rights at the center of U.S. foreign policy, the Biden-Harris Administration is taking action to stem the proliferation and misuse of digital tools used for repression.” 

Both NSO Group and Israeli company Candiru were added to the Commerce Department’s Entity List last month, effectively blacklisting the use of the companies’ products. The step was taken due to allegations that both NSO Group and Candiru had developed spyware programs and sold them to foreign governments to target individuals including dissidents and journalists, allegations that NSO Group has pushed back against. 

“This effort is aimed at improving citizens’ digital security, combating cyber threats, and mitigating unlawful surveillance,” the State Department spokesperson said Friday. “NSO Group and Candiru were added to the Entity List because investigative information has shown that these companies developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, and academics.”

A spokesperson for the White House National Security Council also did not directly confirm the hacking, but reiterated concerns with NSO Group. 

“We have been acutely concerned that commercial spyware like NSO Group’s software poses a serious counterintelligence and security risk to U.S. personnel, which is one of the reasons why the Biden-Harris Administration has placed several companies involved in the development and proliferation of these tools on the Department of Commerce’s Entity List,” the NSC spokesperson said in a statement provided to The Hill. 

“The Biden-Harris Administration has mobilized a government-wide effort to counter and curb proliferation of these commercial hacking tools, which have been used to further transnational repression and human rights abuses and represent a counterintelligence and security threat for U.S. officials,” they said. 

The report came a week after Apple sued NSO Group due to allegations that its Pegasus spyware product was being used to target and surveil Apple product users. Apple issued emergency security updates for many of its products earlier this year following the discovery of a vulnerability that allowed NSO Group spyware to infect Apple products. 

A spokesperson for Apple declined to comment on the new NSO Group hacking allegations, pointing instead to the lawsuit. 

“The steps we’re taking today will send a clear message: In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place,” Ivan Krstić, head of Apple Security Engineering and Architecture, said in a statement last week when the lawsuit was announced. 

NSO Group has been a key company involved in surveillance concerns in recent years. WhatsApp accused the group of allowing its product to be used to target government officials in 2019, and Reuters reported last year that the FBI was investigating the group.